Sunday, December 22, 2013

We need to take password security more seriously, or to take it seriously at all.

A lot of people use the same password on multiple sites, and a lot of people have passwords that can be cracked in minutes or hours, with no two-factor authentication to back them up.

Please spend some time and listen to all 7 videos from Steve Gibson on this topic. They are episodes of the TWiT show called "Security Now". I am not in any way affiliated with TWiT.tv or Steve Gibson (grc.com), but I have to thank them for doing this series. I am not affiliated with LastPass either. LastPass is a very good product, but the point of my post is for you to listen to the security aspects covered in these videos, learn from them and, most importantly, apply them in everyday life.

Inside those text files you put the username and password for each site.

NOTE:
You would mount this volume ONLY when you want to look up the username and password for a specific site, and dismount it right after. Nobody can access it while it is dismounted, because the whole volume is protected by a strong password and 256-bit AES/Whirlpool encryption.

(4)
If your TrueCrypt file is stored in your Dropbox folder, it syncs to the cloud. Then, if you have an iPhone, you can use the "Disk Decipher" app to mount the TrueCrypt volume on the iPhone and keep it in memory. As soon as you leave the app, the volume is dismounted automatically, and the app itself can have another password on top of the regular strong TrueCrypt password you chose when creating the volume.

Pros of TrueCrypt, or what it does as well as 1Password (locally) or LastPass (in the cloud):

It has 256-bit encryption with strong password protection, and you can choose the algorithm.

It is easy to use on your PC or Mac, because it behaves just like any other volume on your computer where you can manage your files. You don't have to zip and unzip a file constantly the way you would with WinZip.

You can easily mount the volume ONLY when you need to use it, and dismount it afterwards.

Cons of TrueCrypt when used as a password management tool:

When you mount a TrueCrypt volume, the contents of all its files are in clear text. That means that if somebody hacks into your computer while the volume is mounted, there is a chance they can simply copy all those clear-text files. That's a big risk.

On a mobile device you can only use it read-only. The mobile support in 1Password and LastPass is much better.

Conclusion:

TrueCrypt is a very good tool and in many ways I prefer it over WinZip, but I am not sure if I could live with the con outlined above when it is used for password management. It is up to you to decide for yourself. One hybrid approach that could make it much safer is to use the TrueCrypt solution described above in combination with WinZip: you keep all those individual .txt files on the TrueCrypt volume zipped with WinZip and 256-bit AES encryption. With this approach, if somebody hacks your computer while your TrueCrypt volume is mounted, they still have the challenge of decrypting the individual zip files. When this hybrid solution is used, it is definitely very safe and even safer than 1Password because you have double 256-bit encryption, but you lose on the convenience factor; you will probably not be able to use it on a mobile device.
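As an added example, not code from the original post, here is a small Python audit for the con above and the hybrid fix: it walks a folder the way you would walk a mounted TrueCrypt volume and reports which credential files would be readable in clear text and which sit inside WinZip AES or legacy ZipCrypto archives. It relies on the WinZip AES container format (compression method 99 and the AE-x extra field 0x9901, which records the key strength). The folder layout, file names and archive contents are constructed inline and contain no real credentials; the hand-built archives are metadata-only stand-ins for real WinZip output.

```python
"""Audit a mounted credential folder for clear-text exposure.

Added example, not code from the original post. Standard library only.
The files it audits are constructed below and hold no real credentials.
"""
import os
import struct
import tempfile
import zipfile

WINZIP_AES_METHOD = 99      # compression method id WinZip uses for AES entries
AES_EXTRA_ID = 0x9901       # header id of the "AE-x" extra field
ENCRYPTED_FLAG = 0x0001     # general-purpose bit 0: entry data is encrypted
AES_STRENGTH = {1: 128, 2: 192, 3: 256}
DOS_DATE = ((2013 - 1980) << 9) | (12 << 5) | 22   # 2013-12-22 in DOS date format


def aes_key_bits(extra):
    """Return the AES key size recorded in an AE-x extra field, or None."""
    while len(extra) >= 4:
        header_id, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            return AES_STRENGTH.get(body[4])   # body byte 4 is the strength code
        extra = extra[4 + size:]
    return None


def classify_entry(info):
    """Classify one zip entry from its central-directory metadata alone."""
    if info.compress_type == WINZIP_AES_METHOD:
        bits = aes_key_bits(info.extra)
        return "aes-%d" % bits if bits else "aes-unknown"
    if info.flag_bits & ENCRYPTED_FLAG:
        return "zipcrypto"       # traditional PKWARE encryption, known weak
    return "cleartext"


def audit_volume(root):
    """Map every file (and every zip entry) under root to a finding string.

    Any file that is not a zip archive is treated as exposed clear text:
    on a mounted volume that is exactly what an intruder would read.
    """
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for info in archive.infolist():
                        findings["%s:%s" % (rel, info.filename)] = classify_entry(info)
            else:
                findings[rel] = "cleartext"
    return findings


def exposed(findings):
    """Sorted list of items readable in clear text while the volume is mounted."""
    return sorted(k for k, v in findings.items() if v == "cleartext")


def minimal_zip(name, method, flags, extra=b"", payload=b"\x00" * 16):
    """Build a one-entry zip with chosen header fields (constructed stand-in).

    Only the headers matter for the audit, so the payload is a dummy.
    """
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOS_DATE,
                        0, len(payload), len(payload), len(fname), len(extra))
    local += fname + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, DOS_DATE, 0, len(payload), len(payload), len(fname),
                          len(extra), 0, 0, 0, 0, 0)
    central += fname + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_volume(root):
    """Populate root with constructed sample files (no real credentials)."""
    with open(os.path.join(root, "bank.txt"), "w") as fh:
        fh.write("user: alice\npassword: example-only\n")
    with zipfile.ZipFile(os.path.join(root, "mail.zip"), "w") as archive:
        archive.writestr("mail.txt", "user: alice\npassword: example-only\n")
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)  # AE-2, AES-256
    with open(os.path.join(root, "shop.zip"), "wb") as fh:
        fh.write(minimal_zip("shop.txt", WINZIP_AES_METHOD, ENCRYPTED_FLAG, aes_extra))
    with open(os.path.join(root, "forum.zip"), "wb") as fh:
        fh.write(minimal_zip("forum.txt", zipfile.ZIP_STORED, ENCRYPTED_FLAG))


def demo():
    """Build the sample volume in a temp dir and return its audit findings."""
    root = tempfile.mkdtemp(prefix="volume-audit-")
    build_sample_volume(root)
    return audit_volume(root)


if __name__ == "__main__":
    results = demo()
    for item, finding in sorted(results.items()):
        print("%-22s %s" % (item, finding))
    print("exposed while mounted:", exposed(results))
```

Run it against the mount point right after mounting; everything reported as cleartext is what an intruder gets while the volume is up, which is the con the post describes. An entry reported as zipcrypto rather than aes-256 means the archive was made with the traditional zip encryption instead of the 256-bit AES option the hybrid approach depends on.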

I use all four (TrueCrypt, WinZip, 1Password and LastPass) for different purposes, using each for what it does best.

Disclaimer:

This is a personal blog. The opinions expressed here represent my own and not those of people, institutions or organizations that the owner may or may not be associated with in a professional or personal capacity, unless explicitly stated. In addition, my thoughts and opinions change from time to time; I consider this a necessary consequence of having an open mind. This blog disclaimer is subject to change at any time without notification.